TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Private Collection Agencies Adequately Protected Taxpayer Data

March 26, 2008

Reference Number: 2008-20-078

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

March 26, 2008

MEMORANDUM FOR COMMISSIONER, SMALL BUSINESS/SELF-EMPLOYED DIVISION

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Private Collection Agencies Adequately Protected Taxpayer Data (Audit # 200820021)

This report presents the results of our review to determine whether private collection agencies (hereafter referred to as PCAs or contractors) were adequately protecting taxpayer data at the time of our review. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs business unit's statutory requirements to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

The Internal Revenue Code authorizes the Internal Revenue Service (IRS) to enter into contracts with PCAs to assist in the collection of delinquent Federal Government tax liabilities. Our review found that taxpayer data provided to the PCAs under these contracts were adequately protected during transmission from the IRS and while stored on PCA computer systems. Inadequate security controls over taxpayer data provided to PCAs would create increased risks of unauthorized access, misuse, disclosure, modification, or destruction of taxpayer data.

Synopsis

Currently, the IRS has contracts with two PCAs to assist in the collection of delinquent Federal Government tax liabilities. As of February 2008, nearly 98,000 accounts had been provided to these contractors for resolution, representing more than $911 million. Under the terms of their contracts with the IRS, PCAs must ensure that their computer systems are compliant with the Federal Information Security Management Act of 2002[1] and adhere to National Institute of Standards and Technology guidance. The National Institute of Standards and Technology's Recommended Security Controls for Federal Information Systems (Special Publication 800-53) outlines 17 families of computer security controls that should be implemented. These control families include systems and communication protection, access controls, and audit records.

We reviewed the computer security controls over taxpayer data provided to the two current PCAs and determined that the controls were adequate. In particular, files were securely transmitted from the IRS to the contractors and adequately secured on the contractors' systems. In addition, workstations used by contractor collection personnel were adequately controlled to prevent unauthorized copying of taxpayer information to removable media or transfer via email. The contractors also maintained adequate audit trails and performed periodic reviews, including reviews to identify unauthorized access to taxpayer data. We also identified best practices that should be considered by current and future PCAs to strengthen computer security controls.

Response

We made no recommendations in this report and, therefore, did not require a formal written response from the IRS. However, key IRS management officials reviewed the report prior to issuance and agreed with the results of our review.

Copies of this report are also being sent to the IRS managers affected by the report. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

Table of Contents

Background
Results of Review
    Private Collection Agencies Implemented Adequate Security Controls Over Taxpayer Data
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Treasury Inspector General for Tax Administration Audit Reports on the Private Debt Collection Program

Abbreviations

IRS               Internal Revenue Service
PCA; contractor   Private collection agency

Background

The Internal Revenue Code authorizes the Internal Revenue Service (IRS) to enter into contracts with private collection agencies (hereafter referred to as PCAs or contractors) to assist in the collection of delinquent Federal Government tax liabilities. Currently, the IRS has contracts with two PCAs to assist in this effort: Pioneer Credit Recovery, Inc. in Perry, New York; and The CBE Group, Inc. in Waterloo, Iowa. As of February 2008, the IRS had provided nearly 98,000 accounts to these contractors for resolution, representing more than $911 million.

Under the terms of their contracts with the IRS, PCAs must ensure that their computer systems are compliant with the Federal Information Security Management Act of 2002.[1] To meet this requirement, the contractors must implement and adhere to National Institute of Standards and Technology[2] guidance. The IRS also evaluates the integrity of a contractor's computer systems to ensure that appropriate access controls are in place to protect taxpayer data.

The taxpayer data provided by the IRS to the PCAs for use in collecting delinquent taxes include Social Security Numbers, names, addresses, and tax liability amounts. Due to the sensitivity of these data, it is paramount that strong measures are implemented to protect taxpayer information. Inadequate security controls over taxpayer data provided to contractors would create increased risks of unauthorized access, misuse, disclosure, modification, or destruction of taxpayer data.

We focused on the security controls over the transmission of data between the IRS and the contractors and the computer security controls used by the contractors to protect taxpayer data. This review was performed in the Small Business/Self-Employed Division in New Carrollton, Maryland, and the contractor worksites in Perry, New York, and Waterloo, Iowa, during the period December 2007 through February 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[2] The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

Results of Review

Private Collection Agencies Implemented Adequate Security Controls Over Taxpayer Data

The National Institute of Standards and Technology's Recommended Security Controls for Federal Information Systems (Special Publication 800-53) outlines 17 families of security controls that should be implemented in Federal Government computer systems. These control families include systems and communication protection, access controls, and audit records. Under the terms of their contracts with the IRS, PCAs are required to comply with National Institute of Standards and Technology guidelines.

We reviewed the computer security controls over taxpayer data provided to the two current PCAs and determined that the controls were adequate to protect taxpayer data during transmission to the contractors and while stored on the contractors' computer systems. Specifically:

•   The contractors securely obtained files from the IRS through the IRS Registered User Portal. Access to this Portal was limited to two users at each PCA who used their own Portal user account to download the files to the contractor systems.
•   Files downloaded from the IRS were adequately secured on contractor systems. Each contractor had appropriately restricted access to the downloaded files to only those employees who needed to use the files in the performance of their duties.
•   The contractors configured workstations used by their collection personnel to prevent copying files to the workstation or removable media. Collection personnel also did not have access to email. By using web-filtering software, the collectors' Internet access was limited to only a few sites they needed for locating taxpayer addresses and phone numbers. Printing was limited and printouts were adequately secured to prevent unauthorized removal.
•   PCA user accounts we reviewed had the appropriate authorizations for access to contractor systems.
•   All contractor employees hired within the last 6 months had completed background investigations. Because our March 2007 report[3] found that background investigations were adequately completed, we limited the scope of this review to the 6-month period prior to our site visits.
•   Contractor collection and other employee access to the collection application were determined to be appropriate and based on business need.
•   The contractors maintained adequate audit trails and performed periodic reviews, including reviews to identify unauthorized access to taxpayer data.
•   The contractors do not delete taxpayer files or remove them from their systems once a case has been closed or recalled by the IRS, per the terms of their contracts. However, the contractors adequately protected these data by restricting access to taxpayer data files to only necessary employees. In addition, both contractors' computer applications categorized closed or recalled taxpayer cases to restrict their access to authorized managers and supervisors.

In addition, each contractor implemented a best practice that should be considered by current and future PCAs.

•   One contractor requires a second password, in addition to a standard username and password, before access to the contractor's collection application is granted. This second password is generated through a password token device, small enough to fit on a key ring, which generates and displays a new password every 60 seconds. Each user accessing the contractor's application is given a device, which is synchronized with a secure server.
•   The other contractor places files downloaded from the IRS on a dedicated server.

The PCAs also took steps to address control weaknesses identified in the March 2007 Treasury Inspector General for Tax Administration report previously cited and in IRS Safeguard reviews. We reviewed the weaknesses listed on their Plan of Actions and Milestones[4] and determined the contractors took appropriate actions to address the weaknesses. See Appendix IV for a list of all Treasury Inspector General for Tax Administration reports on the IRS private debt collection program.

[3] The Private Debt Collection Program Was Effectively Developed and Implemented, but Some Follow-up Actions Are Still Necessary (Reference Number 2007-30-066, dated March 27, 2007).
[4] A Plan of Actions and Milestones is a management tool used to assist organizations in identifying, assessing, prioritizing, and monitoring the progress of corrective actions for security weaknesses found in programs and systems.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this audit was to determine whether PCAs were adequately protecting taxpayer data at the time of our review. To accomplish this objective, we:

I.   Determined whether taxpayer data are transmitted securely between the IRS and the PCAs.
     A. Identified security requirements for the transmission of taxpayer data from sources such as the Internal Revenue Manual, National Institute of Standards and Technology guidance, and PCA contract documentation.
     B. Assessed the adequacy of controls over the transmission of taxpayer data between the IRS and the contractors.
     C. Identified the reasons for inadequacy of data transmission controls.
     D. Assessed the impact of inadequate control weaknesses on privacy and security of taxpayer data transmitted to and from the contractors.
II.  Determined whether taxpayer data residing on PCA computer systems are secure.
     A. Identified security requirements for taxpayer data maintained on computer systems from sources such as the Internal Revenue Manual, National Institute of Standards and Technology guidance, and PCA contract language.
     B. Determined whether vulnerabilities identified in previous Treasury Inspector General for Tax Administration and IRS security reviews had been adequately addressed.
     C. Assessed the adequacy of data security controls over taxpayer data on PCA systems. Tests included assessing whether contractor employee access to taxpayer data was authorized and appropriate and evaluating the effectiveness of the contractors' audit trail management for systems maintaining taxpayer data. We also assessed the adequacy of background investigations for employees that were hired in the 6-month period prior to our site visits to the contractor worksites.
     D. Identified the reasons for inadequacy of data security controls.
     E. Assessed the impact of inadequate control weaknesses on privacy and security of taxpayer data residing at the PCAs.
III. Determined whether taxpayer data are appropriately disposed of after use by the PCAs.
     A. Identified security requirements for the destruction of taxpayer data from sources such as the Internal Revenue Manual, National Institute of Standards and Technology guidance, and PCA contract language.
     B. Assessed the adequacy of controls over destruction of taxpayer data on contractor systems.
     C. Identified the reasons for inadequacy of data destruction controls.
     D. Assessed the impact of inadequate control weaknesses on privacy and security of taxpayer data residing at the contractors' sites once the data are no longer needed.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Michael Howard, Audit Manager
Richard Borst, Senior Auditor
Myron Gulley, Senior Auditor
Louis Lee, Senior Auditor
Thomas Nacinovich, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Services and Enforcement SE
Director, Collection, Small Business/Self-Employed Division SE:S:C
Project Director, Filing and Payment Compliance Modernization, Small Business/Self-Employed Division SE:S:C:FPCMO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Commissioner, Small Business/Self-Employed Division SE:S

Appendix IV

Treasury Inspector General for Tax Administration Audit Reports on the Private Debt Collection Program

The Treasury Inspector General for Tax Administration has issued the following reports on the IRS private debt collection program:

1. Management Needs to Continue Monitoring Some Case Selection Issues As the Private Debt Collection Program Is Implemented (Reference Number 2006-30-064, dated April 2006).
2. The Revised Private Debt Collection Request for Quotation Adequately Addressed Prior Deficiencies in the Solicitation Methodology (Reference Number 2006-10-078, dated April 2006).
3. The Private Debt Collection Program Was Effectively Developed and Implemented, but Some Follow-up Actions Are Still Necessary (Reference Number 2007-30-066, dated March 27, 2007).
4. Complete Actions Were Not Taken to Validate the Best Software Solution Was Chosen for the Private Debt Collection Program (Reference Number 2007-20-065, dated April 10, 2007).
5. Invoice Audit of Fees Paid Under the Private Debt Collection Initiative (Reference Number 2008-10-054, dated December 26, 2007).
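The Results of Review section notes that the contractors performed periodic audit-trail reviews to identify unauthorized access, and that closed or recalled cases were restricted to authorized managers and supervisors. The following is an added illustration of such a review, not code from the report or from either contractor's system; the log format, the roster of accounts and the sample records are constructed for the example.

```python
"""Periodic audit-trail review: flag any access to a closed or recalled
taxpayer case by an account that is not a manager or supervisor, and any
access by an account that is not on the need-to-know roster. The log
layout and the roster below are constructed for this example."""
import csv
import io

# Constructed roster of accounts authorized to open taxpayer data, with roles.
# A real review would draw this from the contractor's access authorizations.
AUTHORIZED_ROLES = {
    "jdoe": "collector",
    "asmith": "collector",
    "bjones": "supervisor",
    "mlee": "manager",
}
PRIVILEGED_ROLES = {"manager", "supervisor"}
RESTRICTED_STATUSES = {"closed", "recalled"}

# Constructed sample audit trail (timestamp,user,case_id,case_status,action).
SAMPLE_LOG = """\
timestamp,user,case_id,case_status,action
2008-02-04T09:12:03,jdoe,C-1001,open,view
2008-02-04T09:15:41,asmith,C-1002,closed,view
2008-02-04T09:20:10,bjones,C-1002,closed,view
2008-02-04T10:02:55,tnguyen,C-1003,open,view
2008-02-04T10:30:00,jdoe,C-1004,recalled,export
"""


def review_audit_trail(log_text, roster=AUTHORIZED_ROLES):
    """Return a list of (user, case_id, reason) findings from the audit trail.

    Two checks are applied to every record:
      1. the account must appear on the need-to-know roster; and
      2. a closed or recalled case may be opened only by a manager or supervisor.
    Records that pass both checks produce no output; only exceptions are reported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"]
        role = roster.get(user)
        if role is None:
            findings.append((user, row["case_id"], "account not on need-to-know roster"))
            continue
        if row["case_status"] in RESTRICTED_STATUSES and role not in PRIVILEGED_ROLES:
            findings.append(
                (user, row["case_id"],
                 f"{row['case_status']} case accessed by {role} ({row['action']})")
            )
    return findings


if __name__ == "__main__":
    for user, case_id, reason in review_audit_trail(SAMPLE_LOG):
        print(f"EXCEPTION user={user} case={case_id}: {reason}")
```

The supervisor's access to the closed case C-1002 is silent; the collector's access to the same case, the unrostered account, and the export of a recalled case are the three exceptions a reviewer would follow up.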
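The best practice in the Results of Review section describes a key-ring token that displays a new second password every 60 seconds and is synchronized with a secure server. As an added illustration (not code from the report, and the report does not name the product or its algorithm), the following assumes an RFC 6238-style scheme in which token and server share a secret and derive a 6-digit code from the current 60-second time step; it shows why synchronization matters by accepting only the current step and one step of clock drift either side. The secret and timestamps are constructed for the example.

```python
"""Time-synchronized second password (assumed RFC 6238-style scheme).
The device and the server hold the same secret; both compute the code for the
current 60-second step, so the server can check what the device is showing."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the report says the device shows a new password every 60 seconds
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock drift in either direction


def token_code(secret: bytes, unix_time: int) -> str:
    """Code the token displays at unix_time: HMAC-SHA1 over the step counter,
    then dynamic truncation to DIGITS decimal digits."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_code(secret: bytes, submitted: str, server_time: int) -> bool:
    """Server-side check of the second password. A code is accepted only if it
    matches the current step or a step within DRIFT_STEPS of it; a code from a
    device that has drifted further, or an old code, is rejected."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        expected = token_code(secret, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False


if __name__ == "__main__":
    # Constructed shared secret and a constructed server clock reading.
    demo_secret = b"constructed-example-secret-not-a-real-key"
    now = 1204000020
    shown = token_code(demo_secret, now)
    print("device shows:", shown)
    print("server accepts current code:", verify_code(demo_secret, shown, now))
    print("server accepts code from 3 minutes ago:",
          verify_code(demo_secret, token_code(demo_secret, now - 180), now))
```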